jeandavid8 at verizon.net
Mon Jun 25 20:13:59 CEST 2012
Robert J. Hansen wrote:
> On 06/24/2012 06:11 PM, Werner Koch wrote:
>> I am telling for more than a decade that PGP 2 should not be used
> The list may find my own timeline of MD5 to be worth reading -- it might
> give some insight into why PGP 2 (in particular the MD5 vulnerabilities)
> tend to engender such passionate responses.
> 1993: Bosselaers and Den Boer present a theoretical break on MD5.
> 1996: Hans Dobbertin breaks MD5. His results are immediately dismissed
> as "theoretical" when they are nothing but. The security of a
> Merkle-Damgard hash (such as MD5) cannot be greater than the
> collision resistance of its compression function. Dobbertin is
> able to break MD5's compression function in *seconds* on desktop
> hardware. The MD5 death clock begins ticking down: we know
> (thanks to Dobbertin) that collisions can be generated against
> the full MD5 in seconds, but we don't yet know how.
> 1997: As an undergraduate, I read Dobbertin's paper and get shocked.
> I start advocating migration to SHA-1 and/or RIPEMD160. Nobody
> listens to me, and maybe rightfully so: after all, I'm just an
> undergrad. That said, I'm in good company: lots of other very
> serious cryppies are advocating the same.
> 1998: Internal debates begin at PGP Security over whether MD5 should
> be considered "deprecated" (technically valid, but advised
> against) or "obsolete" (no longer valid). (This is according
> to Len Sassaman.)
> 2001: People are still using MD5 in applications that need a
> collision-resistant hash function. I begin to get irritated:
> we've had five years to do migrations. Some important people
> within the community at that time (e.g., Imad Faiad) proclaim
> that MD5 is still secure and the vulnerabilities against it
> are still only theoretical and may never come to pass. I begin
> to tell people that if we don't see real MD5 collisions within
> five years to never again believe anything I say.
> 2002: I enter graduate school for computer science and begin working
> in electronic voting. I see systems being developed at that time
> which rely on the collision-resistance of MD5. I begin to get
> unhinged. In order to prove the ineffectiveness of MD5, I begin
> to work on MD5 collisions for my Master's thesis.
> 2004: Shengdong University publishes the first MD5 collisions. I have a
> very long and dejected talk with my advisor about my degree
> plans. I take a Master's without thesis, but I tell my advisor
> I'm looking on the bright side: no one can claim MD5 is still
> safe, right?
> 2004: People continue to say MD5 is still safe, claiming that the
> Shengdong University attacks are impractical -- they can only
> produce collisions in random data, which means you can't forge a
> particular signature on particular data.
> 2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and
> the NSA's website. Dan is able to, in realtime, tweak the EFF's
> website with nondisplaying characters in order to make it look
> unchanged from the original but have the same MD5 hash as the
> NSA's website. I was there in the audience and my jaw was on the
> 2005: People continue to say MD5 is still safe, claiming that... oh,
> God, I lose track at this point, honestly. At this point my
> brain shuts down and I begin to believe anyone advocating MD5
> where collision resistance is necessary is living in resolute
> denial of the facts.
> 2008: The first public disclosure of a forged MD5-based SSL certificate.
> 2008: US-CERT issues a Vulnerability Notice which says in plain
> language, "Software developers, Certification Authorities,
> website owners and users should avoid using the MD5 algorithm in
> any capacity." (Ref: http://www.kb.cert.org/vuls/id/836068 )
> 2012: News reports circulate that the Flame virus propagated by forging
> an MD5-based Microsoft signature.
> 2012: On this mailing list, 16 years after experts recommended migrating
> away from MD5 and four years after US-CERT categorically declared
> MD5 to be a "do not use" algorithm, we're having a discussion
> about PGP 2.6, which is deeply married to MD5.
> After reviewing the past 19 years of results on MD5 and the community's
> reaction to them, all I can say is ... nothing, really. I used to be
> able to get a lot of outrage summoned up over this subject, but now I've
> been reduced to making faint whimpering noises.
A new scientific truth does not triumph by convincing opponents and
making them see the light, but rather because its opponents eventually
die, and a new generation grows up that is familiar with it.
-- Max Planck
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key:3EDBB65E 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 14:10:01 up 13 days, 24 min, 3 users, load average: 4.28, 4.34, 4.24
More information about the Gnupg-users